When CIO Means Chief Insight Officer

Cyber risk is top of mind for most CEOs, according to a recent survey by Marsh. Heightened awareness and increased risk have led companies to look for more effective ways of dealing with cyber vulnerability, most notably in the guise of new technology and insurance solutions. As a result, CIOs are front and center in organizations’ risk management efforts. Effective management of cyber risks demands CIOs’ unique insights about the vulnerability of critical organizational assets as well as their active collaboration with other key risk-management personnel, e.g. the Insurance Manager and the Risk Manager.

Insurance companies have developed sophisticated solutions to help their clients mitigate the impact of cyber risk, including first-party and third-party coverages and enhanced traditional insurance lines with minimum cyber coverages. Meanwhile, technology and security companies continue to develop state-of-the-art vulnerability-management, information-protection, and incident-response tools to analyze, monitor, prevent, and/or manage cyber-attacks and events.

Despite advances on both fronts, organizations remain vulnerable to cyber risk. A recent example of continued vulnerability is the ransomware attack on the Hollywood Presbyterian Medical Center in California. The attack locked the hospital out of some of its networks and caused the hospital to divert emergency room patients to other centers. The hospital claims patient care was not compromised. To resolve the issue, the hospital ended up paying the hackers the $17,000 ransom in Bitcoin. One reason for this continued vulnerability is the fact that too many organizations see their insurance and technology solutions as separate, parallel efforts. Organizations must integrate cyber risk into their ERM programs, leverage the combined strengths of insurance and technology solutions, and create a culture of cyber-risk awareness.

The following three steps are key to this effort:

STEP 1: Measurement – Risk Assessment

Identify, assess, and measure cyber risks with the tools your organization is already using for enterprise-wide risk assessment. The cyber risks should then be included in your organization’s risk heat map, risk register, risk tolerance report, and risk appetite statement. This initial step is critical for several reasons. Doing so creates greater visibility and transparency; promotes organizational ownership of and commitment to managing cyber risks; makes management of each risk a shared responsibility; and allows the Board of Directors to take the lead.


A common challenge at this stage is figuring out how to measure the qualitative and quantitative impacts of each cyber risk. While a thorough discussion of how to measure cyber risks’ impact is an issue for another article, there are a number of approaches ERM professionals apply that are highly effective in estimating the operational and financial impact of cyber risks. Any successful approach considers the following: reported losses (including decrease in value) from cyber risks; reported impact on critical operations and assets; frequency or probability of cyber-attacks or events; and expected payouts insured parties would receive from cyber insurance coverages.

The CIO, Risk Manager, and Insurance Manager would work together in this stage as follows: The CIO would convey to the Risk Manager the assets or operations cyber-attacks or events would potentially affect. The Risk Manager (aided by an ERM professional) would estimate the potential losses on assets or operations associated with attacks/events. The CIO’s scenario analysis would be the foundation for accurate estimates of potential losses.

The Risk Manager would benchmark the estimates to reported cyber risk losses of similar organizations. The resulting amount would serve as the proxy for the organization’s expected cyber risk losses; this amount would then be adjusted based on expected payout(s) from cyber insurance coverages. Initiating and operating a cyber risk assessment program also helps the Board of Directors fulfill their obligations and reduces their liability. By assessing its cyber risk, an organization can get an idea of where its vulnerabilities are and what protective actions would make economic sense.

STEP 2: Documentation – Risk Register

The second step for integrating cyber risks into an ERM program is to document key aspects of each cyber risk in the risk register (as illustrated below).

As the in-house technology expert, the CIO must work closely with the Risk Manager to accurately characterize and describe each risk as outlined above. When done properly and with a sufficient level of detail, this documentation will provide important insights into your company’s cyber vulnerability and its readiness to deal with potential threats. The CIO is uniquely qualified to take the lead on this step because the CIO understands the organization’s IT infrastructure and architecture. In addition, he or she is in the best position to evaluate the efficacy of the entire IT operation.

Once the risk register is populated, the Risk Manager must ensure it is continuously updated and used by the Board and/or ERM committee. The dynamic nature of the risk register means that the CIO should be available to both the Board and the ERM committee as needed.

STEP 3: Culture of Cyber Security

The final step involves fostering a culture of cyber-security awareness. This includes educating the entire organization and relevant third parties (such as contractors and consultants) about the company’s cyber risk profile and incentivizing all stakeholders to play a part in preventing, managing, and mitigating cyber risk. One successful approach is to conduct cyber risk webinars to educate business leaders every quarter; another is to run cyber risk drills to reinforce the behaviors expected of employees and third parties in the event of an attack. Education is critical not only for developing appropriate solutions but also for helping all employees and third parties (such as contractors) understand the role they play in keeping a company cyber-secure.

The organization should also formulate a cyber security response plan. Having a written cyber security response plan, and documenting the organization’s cyber security program and policies generally, is a great way to formalize its culture of cyber security so everyone is on the same page. Finally, as part of the culture of cyber security, the CIO should work with the Risk Manager and HR to establish incentive programs to reward appropriate behaviors.

The importance of the CIO’s role in an integrated, comprehensive program around cyber risk cannot be overemphasized. The CIO in effect is also Chief Integration Officer and Chief Insight Officer, providing frontline information on cyber risk and determining best practices for cyber security. The ultimate success of such a program hinges on the quality of insights and level of detail the CIO can provide to his or her risk and insurance colleagues. The complexity of an organization’s technology infrastructure and architecture is directly proportional to the potential impact of cyber risk. The CIO can and should play a disproportionately large role in combating such risk.